Switching

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Output ACL not allowed on lo0 on EX4200

    Posted 09-22-2021 14:42
    Hi,
    I'm new to Juniper ACL, and find something can be easily done on Cisco switch but so difficult on Ex4200 switch.

    I tried to stop all the outgoing traffic from 10.33.108.128/28 behind the switch from going out, but allow all other traffic within 10.33.108.0/22 on the switch. And here is how I tried to do this:
    set firewall family inet filter out-going term 1 from source-address 10.33.108.128/28

    set firewall family inet filter out-going term 1 then discard

    set firewall family inet filter allowed-traffic term 2 from source-address 10.33.108.0/22

    set firewall family inet filter allowed-traffic term 2 then accept

    set int lo0 unit 0 family inet filter output out-going
    set int lo0 unit 0 family inet filter output allowed-traffic

    but has errors when I try to commit:
    root# commit
    [edit interfaces lo0 unit 0 family inet]
    'filter'
    Output Filters are not supported on loopback interface lo0
    error: configuration check-out failed

    What cause this problem? Are there any better way to solve the problem?

    Thanks a lot in advance,
    Keith



    ------------------------------
    KEITH GAO
    ------------------------------


  • 2.  RE: Output ACL not allowed on lo0 on EX4200

    Posted 09-23-2021 05:49
    Whether you can apply a filter on input or output or both is a function of the chip set deployed.

    Note that Junos distinguishes between two types of traffic to filter
    Transit traffic comes in one port of the device and then will egress another port based on the routing and forwarding table.
    Self traffic is that which one end of the connection is the Junos device itself.

    Firewall filters on the lo0 interfaces are NOT for transit traffic you are trying to control.  Loopback filters only apply to SELF traffic of the device.

    So your filter will need to apply to the appropriate transit ports in the path of the traffic you want to control.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Output ACL not allowed on lo0 on EX4200

    Posted 09-23-2021 12:14
    Thanks Steve for sharing the knowledge on filter on lo0!

    I googled around the also find some limitations on the filter on lo0, and I changed the filter and applied to the interface I'm connected to but it still not working.
    Here is the configuration:

    set firewall family ethernet-switching filter egress-all term block-all from source-address 10.33.108.128/28

    set firewall family ethernet-switching filter egress-all term block-all then discard

    set firewall family ethernet-switching filter egress-all term default then accept

    set interfaces ge-0/0/10 unit 0 family ethernet-switching filter output egress-all

    I have a laptop with ip 10.33.108.138 connecting to port ge-0/0/10, but it still can ping out to 4.2.2.2.

    I think it might be caused by missing protocol icmp, so I added the following and it still not working.

    set firewall family ethernet-switching filter egress-all term block-all from protocol icmp

    Question: If I added a log for my filter, whether the log only exist by triggering the filter?

    Thanks again for all advaices.
    Keith

    ------------------------------
    KEITH GAO
    ------------------------------



  • 4.  RE: Output ACL not allowed on lo0 on EX4200
    Best Answer

    Posted 09-23-2021 16:16
    Unless I am missing something, you should be applying the filter in the "input" direction on ge-0/0/10 instead of "output" as the traffic is ingressed into port ge-0/0/10.

    If you want an egress filter then so that you block the icmp on the return trip you could probably set that first term's match criteria to destination address rather than source. 

    The log statement will go in the "then" part of the filter terms. You can also add counters as well, which are good to just see if that term is being hit.


  • 5.  RE: Output ACL not allowed on lo0 on EX4200

    Posted 09-23-2021 16:16
    I have also seen instances where transit traffic also has to be permitted in any filter on the lo0 interface if it is "snooping" such as dhcp relay traffic.


  • 6.  RE: Output ACL not allowed on lo0 on EX4200

    Posted 09-23-2021 19:56
    As Keith noted, your filter for this flow would be on the input side.
    Device source address > input on port

    The egress side is for traffic destined to the device, so on that side the device ip will be in the destination address not the source address.

    dhcp forwarding is self traffic, so would be covered by loopback filters.  The dhcp packet is seen and forwarded by the Junos device and thus covered by filtering at that interface.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: Output ACL not allowed on lo0 on EX4200

    Posted 09-24-2021 05:26
    Hi,
    For EX4200 series you can apply the filter as vlan filter in ingress direction to achive what you want to do.

    set vlans VLANXXX filter input FILTER-XXX

    ------------------------------
    MEHMET SUEL
    ------------------------------



  • 8.  RE: Output ACL not allowed on lo0 on EX4200

    Posted 09-24-2021 11:48
    Thanks cordscott! Yes, it works after I changed to input.

    Just curious, should I use output for the incoming traffic?

    Thanks everyone!

    ------------------------------
    KEITH GAO
    ------------------------------



  • 9.  RE: Output ACL not allowed on lo0 on EX4200

    Posted 09-24-2021 12:55
    No output = outgoing or egress and input =incoming or ingress.

    Think of it relative to the port itself, not the traffic. So if there is a device on your ge-0/0/0 port for example, and you want to filter traffic from the attached device, you would create a firewall filter with match the address of that device as source and set the action to discard the traffic. The filter would be applied to the interface in the "input" direction.

    In this scenario you'd use a filter in the "output" direction to match traffic destined to that device, matching on it destination address. But this would only block traffic initiated by other endpoints or possible return traffic that is stateful in nature that was initiated by the device on your port.